From c6f72d448714b5ee57a4923926bab6e0c3fbbb96 Mon Sep 17 00:00:00 2001 From: Felix Date: Fri, 26 Apr 2019 18:02:06 +0200 Subject: [PATCH 1/2] universal8895: Force restorecon for /data/vendor The restorecon_recursive directive in init is only applied if the file_contexts file changed between builds, but not necessarily if any file or folder inside /efs or /persist has changed. The restorecon code checks whether an xattr named "security.sehash" contains a string that matches the current combined hashes of the SELinux context files and skips restoring labels if there is a match, see https://android.googlesource.com/platform/external/selinux/+/refs/tags/android-9.0.0_r35/libselinux/src/android/android_platform.c#1546 Change-Id: Ic0cd848836ee550499d9236f56ed6e939e35f01e --- ramdisk/etc/init.samsungexynos8895.rc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ramdisk/etc/init.samsungexynos8895.rc b/ramdisk/etc/init.samsungexynos8895.rc index 4cad02e..a694d36 100644 --- a/ramdisk/etc/init.samsungexynos8895.rc +++ b/ramdisk/etc/init.samsungexynos8895.rc @@ -36,6 +36,10 @@ on post-fs setrlimit 8 67108864 67108864 on post-fs-data + exec u:r:vendor_toolbox:s0 -- /vendor/bin/toybox_vendor find /data/vendor -type d \ + -exec /vendor/bin/toybox_vendor setfattr -x security.sehash {} \; + restorecon_recursive /data/vendor + # setup cgroup freezer for freecess mkdir /dev/freezer mount cgroup none /dev/freezer freezer -- GitLab From 8617a9f77820ccd9ba72e61ed7a065bef25bede9 Mon Sep 17 00:00:00 2001 From: Jan Altensen Date: Wed, 27 Jul 2022 11:27:31 +0200 Subject: [PATCH 2/2] universal8895: address tee and gatekeeper denials Change-Id: Ia1c3afd8431719efb5462fe2ffa4d4f0505dfb10 --- sepolicy/vendor/hal_gatekeeper_default.te | 3 +++ sepolicy/vendor/tee.te | 4 ++++ 2 files changed, 7 insertions(+) create mode 100644 sepolicy/vendor/tee.te diff --git a/sepolicy/vendor/hal_gatekeeper_default.te b/sepolicy/vendor/hal_gatekeeper_default.te index c9c3b96..5bd1855 100644 --- a/sepolicy/vendor/hal_gatekeeper_default.te +++ b/sepolicy/vendor/hal_gatekeeper_default.te @@ -1,3 +1,6 @@ allow hal_gatekeeper_default gatekeeper_efs_file:file rw_file_perms; allow hal_gatekeeper_default gatekeeper_efs_file:dir search; allow hal_gatekeeper_default efs_file:dir search; + +allow hal_gatekeeper_default tee_efs_file:dir search; +allow hal_gatekeeper_default tee_efs_file:file rw_file_perms; diff --git a/sepolicy/vendor/tee.te b/sepolicy/vendor/tee.te new file mode 100644 index 0000000..7c59193 --- /dev/null +++ b/sepolicy/vendor/tee.te @@ -0,0 +1,4 @@ +allow tee mobicore_data_file:dir search; + +allow tee tee_efs_file:dir r_dir_perms; +allow tee tee_efs_file:file r_file_perms; -- GitLab